Monday, October 16, 2017

University calendars display student info

Until yesterday, anyone with a Brandeis email account had access to the private information of students, faculty and administrators through the University’s Google Calendar network.

Administrative calendars publicly displayed full names and phone numbers of some students and parents, as well as detailed family financial situations and student disability accommodation needs. While faculty and staff have since received directions for locking their calendars, students had not been informed of this issue as of press time.

The greatest quantity of unsecured data appeared in calendars for Student Accessibility Support and the Office of Student Financial Services, where students’ personal information could be found on open staff calendars dating back to 2012.

“Having trouble paying for books, potential for more aid,” read one meeting description in the calendar of an SFS employee. Another meeting noted: “Father of [student name redacted] job loss. Discussion of further aid possibilities.”

Sensitive student information was also accessible on a Student Accessibility Support employee’s calendar, which contained meeting descriptions such as “Figure out executive function challenges” and “Mother of [Student name redacted] - re: disability services for Aspergers… Please Call [phone number redacted].” Dozens of similar entries containing some combination of students’ full names, phone numbers and class years were visible on calendars in both departments.

“It’s a total violation of everyone’s privacy. ... The fact that they keep these records open for everyone is terrifying. It’s disgusting,” said Danielle Lebowitz ’19, who mentioned in an interview with the Justice that she had received academic accommodations in the past.

A Justice review of employee calendars across University administrative departments revealed that at least 26 staff kept their calendars on the default setting, “Share this calendar with everyone in the organization Brandeis University.” Most senior administrators had locked calendars which prompted users to request access, while other staff enabled a security feature that marks time slots as “busy” without showing the nature of the event.

In addition to the student data displayed on administrative staff calendars, an assortment of work-related and personal information was visible on faculty members’ calendars. Faculty members’ schedules frequently contained various academic and professional obligations, often including the purposes of specific meetings with students and staff. Flight numbers, doctor’s appointments, vacation plans and other private events were also left public in some calendars.

The Justice requested comment from Student Accessibility Support shortly after 9 a.m. on Monday. Less than an hour later, Executive Vice President of Finance and Administration Stewart Uretsky sent an email to all faculty and staff with instructions on how to change Google Calendar security settings.

“It has come to our attention that some individuals are not aware their calendars are publicly available to the Brandeis community. Please check your Google Calendar settings now to be sure your calendar is available only to those individuals you choose to have access,” Uretsky wrote.

In another email on Monday night, Uretsky informed faculty and staff that Information Technology Services would reset all public calendars to the “busy” privacy setting — hiding all personal information — and that this would be the default for all University calendars in the future. He did not specify when the change would occur. He also mentioned that “in order to be in compliance with various regulatory requirements,” no personally identifiable information, including names, can be publicly available without student permission.

As of press time, calendars for SAS and SFS staff had been locked to ensure that student information was no longer viewable.

“We have conducted a review of all calendars in the Student Accessibility Support office, and what you described was isolated to one calendar,” Director of Student Accessibility Support Beth Rodgers-Kay wrote in an email to the Justice. “The settings for that calendar were immediately updated to private, and all calendars in the office are now set to private.”

In a separate email to the Justice, Executive Director of Student Financial Services Sherri Avery wrote that SFS “has reviewed all of our calendars and have made adjustments to ensure that all are set to private.”

In addition to SFS and SAS, several employees in the International Business School, The Health Center, Undergraduate Admissions, The Division of Business and Finance and the Heller School for Social Policy and Management had open calendars that did not reveal private student information but listed staff meetings or personal plans.

According to Maryam Chishti ’20, one of the students whose personal data appeared on the calendars, the incident should spark community-wide dialogue about privacy.

“I think we as a University should figure out what we want our general consensus around calendars to be and what we want our privacy settings to be,” Chishti said in an interview with the Justice. “We should come together as a collective community and say, ‘What do we want to do about this? Were we aware that all of our calendars are open to the public? And if we don’t want that, how should we change it?’”

Students, faculty and staff wishing to change their sharing settings can do so by logging into Google Calendar with their University emails and changing their default settings.